Building NAPT

Three files to change:
- /etc/default/ufw
- /etc/ufw/sysctl.conf
- /etc/ufw/before.rules

Make each file match the > side of the diffs below. The files must be rewritten with sudo privileges.
$ diff /etc/default/ufw ufw
19c19
< DEFAULT_FORWARD_POLICY="DROP"
---
> DEFAULT_FORWARD_POLICY="ACCEPT"
$ diff /etc/ufw/sysctl.conf sysctl.conf
10c10
< #net/ipv4/ip_forward=1
---
> net/ipv4/ip_forward=1
$ sudo diff /etc/ufw/before.rules before.rules
10a11,15
> *nat
> -F
> :POSTROUTING ACCEPT [0:0]
> -A POSTROUTING -s 192.168.20.0/24 -o ens160 -j MASQUERADE
> COMMIT
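Review bot: the added MASQUERADE rule names "-o ens160", but in the "ip a" output below ens160 is the interface holding 192.168.20.1/24, i.e. the very LAN that "-s 192.168.20.0/24" selects, while the upstream address 10.204.227.167/24 sits on ens192; the "lines to add" block further down also uses ens192. With "-o ens160" the rule would only match LAN-to-LAN forwarding and leave traffic that actually leaves via ens192 without source NAT, so the line should read "-A POSTROUTING -s 192.168.20.0/24 -o ens192 -j MASQUERADE" here as well.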
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:94:ea:ed brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    inet 192.168.20.1/24 brd 192.168.20.255 scope global ens160
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:fe94:eaed/64 scope link
       valid_lft forever preferred_lft forever
3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:94:bf:15 brd ff:ff:ff:ff:ff:ff
    altname enp11s0
    inet 10.204.227.167/24 brd 10.204.227.255 scope global ens192
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:fe94:bf15/64 scope link
       valid_lft forever preferred_lft forever
/etc/ufw/before.rules --- lines to add (place them above *filter) ---
*nat
-F
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.20.0/24 -o ens192 -j MASQUERADE
COMMIT
Create napt.sh:
#!/bin/bash
set -eux
ufw logging low         # keep logging on, at low volume
ufw allow ssh           # keep SSH reachable before the firewall comes up
echo "y" | ufw enable   # answer the "may disrupt existing ssh connections" prompt
ufw reload              # re-read before.rules so the *nat table is loaded
ufw status verbose
$ sudo napt.sh
+ ufw logging low
Logging enabled
+ ufw allow ssh
Rules updated
Rules updated (v6)
+ echo y
+ ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? Firewall is active and enabled on system startup
+ ufw reload
Firewall reloaded
+ ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
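As an added example that is not part of the original page, the following script cross-checks the three edits above against the routing table before ufw is enabled: ip_forward on, DEFAULT_FORWARD_POLICY set to ACCEPT, and the MASQUERADE rule's -o interface equal to the interface carrying the default route rather than the one that owns the -s subnet (on the host above ens192, not ens160). The route lines and rule blocks are constructed samples modelled on that host, and the function names are my own.

```shell
#!/bin/bash
# Added example, not from the original page: sanity-check a ufw NAPT setup
# against the routing table. Inputs are constructed so it runs offline; on a
# real host use e.g. RULES=$(sudo cat /etc/ufw/before.rules), ROUTES=$(ip -4 route),
# SYSCTL=$(cat /etc/ufw/sysctl.conf), DEFAULTS=$(cat /etc/default/ufw).

# Constructed samples modelled on the host above: 192.168.20.0/24 on ens160 (LAN),
# default route via ens192 (upstream).
ROUTES='default via 10.204.227.1 dev ens192 proto static
10.204.227.0/24 dev ens192 proto kernel scope link src 10.204.227.167
192.168.20.0/24 dev ens160 proto kernel scope link src 192.168.20.1'
SYSCTL='net/ipv4/ip_forward=1'
DEFAULTS='DEFAULT_FORWARD_POLICY="ACCEPT"'
GOOD_RULES='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.20.0/24 -o ens192 -j MASQUERADE
COMMIT'
BAD_RULES='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.20.0/24 -o ens160 -j MASQUERADE
COMMIT'

# Value following a given keyword ("-s", "-o", "dev") on one line.
field_after() { printf '%s\n' "$2" | awk -v k="$1" '{for(i=1;i<NF;i++)if($i==k)print $(i+1)}' | head -n 1; }

# Interface carrying the default route: the only sensible -o for MASQUERADE.
upstream_iface() { field_after dev "$(printf '%s\n' "$1" | grep '^default ')"; }

# Interface owning the connected subnet that -s selects (the LAN side).
subnet_iface() { field_after dev "$(printf '%s\n' "$2" | grep "^$1 ")"; }

# check_napt RULES ROUTES SYSCTL DEFAULTS: returns 0 if consistent, 1 otherwise (reasons on stdout).
check_napt() {
  rules=$1 routes=$2 sysctl=$3 defaults=$4 rc=0
  printf '%s\n' "$sysctl" | grep -qx 'net/ipv4/ip_forward=1' || { echo "ip_forward is not enabled"; rc=1; }
  printf '%s\n' "$defaults" | grep -qx 'DEFAULT_FORWARD_POLICY="ACCEPT"' || { echo "DEFAULT_FORWARD_POLICY is not ACCEPT"; rc=1; }
  line=$(printf '%s\n' "$rules" | grep -- '-j MASQUERADE' | head -n 1)
  [ -n "$line" ] || { echo "no MASQUERADE rule in *nat"; return 1; }
  src=$(field_after -s "$line"); out=$(field_after -o "$line")
  up=$(upstream_iface "$routes"); lan=$(subnet_iface "$src" "$routes")
  [ "$out" = "$up" ] || { echo "MASQUERADE -o $out, but the default route leaves via $up"; rc=1; }
  [ "$out" != "$lan" ] || { echo "MASQUERADE -o $out is the LAN interface of $src"; rc=1; }
  return $rc
}

# Stand-alone run: the appended block (ens192) passes, the diff's ens160 variant is rejected.
check_napt "$GOOD_RULES" "$ROUTES" "$SYSCTL" "$DEFAULTS" && echo "ens192 rules: OK"
check_napt "$BAD_RULES" "$ROUTES" "$SYSCTL" "$DEFAULTS" || echo "ens160 rules: rejected"
```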